

Subject: RE: [xacml] Section B.6 - Resource attributes


On 27 July, Tim Moses writes: RE: [xacml] Section B.6 - Resource attributes
 > 1. "In the former case, the attribute identifier SHALL appear in the
 > <ResourceAttributeDesignator> element."
 > 
 > I only included this sentence as a counterpart to the earlier sentence: "The
 > corresponding attributes MAY appear in the <Resource> element of the request
 > context".  You are right; it's redundant.  I'll take it out.
 > 
 > 2. OK.  I'll remove any restriction on the type of resource-id.
 > 
 > 3. I'll drop the xpath attribute.
 > 
 > 4. I'll add the document-id attribute.  Can we say anything about this
 > attribute and what it might contain?

The document-id attribute is defined in the Hierarchical
Resources Profile.  It will be included in Section 6 "New
attribute identifiers for hierarchical resources", but is
currently only defined in Section 3.1 "Notes in an XML document"
after the "Additional attributes MAY be included ..." paragraph.

I don't know if we want to define this also in the core XACML
spec.

 > How about this? ...
 > 
 > Draft 13
 > 
 > These identifiers indicate attributes of the resource.  The corresponding
 > attributes MAY appear in the <Resource> element of the request context and
 > be accessed by means of a <ResourceAttributeDesignator> element, or by an
 > <AttributeSelector> element that points into the <Resource> element of the
 > request context.
 > This attribute identifies the contents of the
 > <xacml-context:ResourceContent> element.
 > urn:oasis:names:tc:xacml:1.0:resource:document-id

The Hierarchical resources profile says the following:

  The <AttributeValue> of this <Attribute> SHALL be a URI that
  identifies the XML document of which the requested resource is
  a part.  This <Attribute> MAY specify an Issuer.

If you also define document-id in the core spec, then I think it
should mention that the DataType SHALL be &xml;anyURI.

 > This attribute identifies the resource to which access is requested.  Note:
 > the resource to which access is requested may not be the same as the
 > resource supplied in the <xacml-context:ResourceContent> element.

I think I would say something like, "If an
<xacml-context:ResourceContent> element is provided, then the
resource to which access is requested SHALL be all or a portion
of the resource supplied in the <xacml-context:ResourceContent>
element."

Anne

 > urn:oasis:names:tc:xacml:1.0:resource:resource-id
 > This attribute identifies the namespace of the top element of the contents
 > of the <xacml-context:ResourceContent> element.  In the case where the
 > resource content is supplied in the request context and the resource
 > namespace is defined in the resource, the PDP SHALL confirm that the
 > namespace defined by this attribute is the same as that defined in the
 > resource.  The type of the corresponding attribute SHALL be
 > "http://www.w3.org/2001/XMLSchema#anyURI".
 > urn:oasis:names:tc:xacml:2.0:resource:target-namespace
 > 
 > 
 > 
 > 
 > -----Original Message-----
 > From: Anne Anderson [mailto:Anne.Anderson@Sun.COM] 
 > Sent: Tuesday, July 27, 2004 11:26 AM
 > To: Tim Moses
 > Cc: 'XACML'
 > Subject: Re: [xacml] Section B.6 - Resource attributes
 > 
 > 
 > On 27 July, Tim Moses writes: [xacml] Section B.6 - Resource attributes
 >  > Colleagues - Some proposed changes to Section B.6.  Any comments?  All the
 >  > best.  Tim.
 >  > 
 >  > Draft 13
 >  > 
 >  > These identifiers indicate attributes of the resource.  The corresponding
 >  > attributes MAY appear in the <Resource> element of the request context and
 >  > be accessed by means of a <ResourceAttributeDesignator> element, or by an
 >  > <AttributeSelector> element that points into the <Resource> element of the
 >  > request context.  In the former case, the attribute identifier SHALL appear
 >  > in the <ResourceAttributeDesignator> element.
 > 
 > I don't understand why the last sentence is needed.  If the attribute is in
 > the <Resource> element and is accessed by means of a
 > <ResourceAttributeDesignator> element, doesn't that mean the attribute
 > identifier must by definition appear in the <ResourceAttributeDesignator>
 > element?
 > 
 >  > This identifier indicates the URI of the resource.  The type of the
 >  > corresponding attribute SHALL be "http://www.w3.org/2001/XMLSchema#anyURI".
 >  > urn:oasis:names:tc:xacml:1.0:resource:resource-id
 > 
 > The Hierarchical Resource Profile for XML resources proposes that the
 > DataType of the resource-id be "xpath-expression", identifying the specific
 > node of the resource that is being requested.  In this case, the optional
 > "document-id" resource Attribute can be used to hold the URI of the entire
 > XML document.
 > 
 > I think Daniel also objected to forcing resource-id to be a URI. Or maybe it
 > was just a URI conforming to my proposed hierarchical URI scheme :-)
 > 
 > So is there a reason resource-id must be a URI?
 > 
 >  > This identifier indicates the name-space of the top element of the resource.
 >  > In the case where the resource content is supplied in the request context
 >  > and the resource namespace is defined in the resource, the PDP SHALL confirm
 >  > that the namespace defined by this attribute is the same as that defined in
 >  > the resource.  The type of the corresponding attribute SHALL be
 >  > "http://www.w3.org/2001/XMLSchema#anyURI".
 >  > urn:oasis:names:tc:xacml:2.0:resource:target-namespace
 > 
 >  > This identifier indicates an xpath expression whose context node is the
 >  > <xacml-context:Request> element.  This attribute SHALL only appear in the
 >  > <ResourceAttributeDesignator> element.  The type of the corresponding
 >  > attribute SHALL be
 >  > "urn:oasis:names:tc:xacml:2.0:data-type:xpath-expression".
 >  > urn:oasis:names:tc:xacml:2.0:resource:xpath
 > 
 > I proposed that we drop the "xpath" Attribute, since there is no need for it
 > with the Hierarchical Resource Profile. "resource-id" in that case will
 > contain the xpath expression pointing to the requested node.
 > 
 > Note that the reason for putting the xpath-expression pointing to the
 > requested node into the "resource-id" Attribute is so that the Response
 > <Result> ResourceId XML attribute can copy the resource-id Attribute and
 > have it be an unambiguous reference to the node to which the <Result>
 > corresponds.
 > 
 > Anne
 > -- 
 > Anne H. Anderson             Email: Anne.Anderson@Sun.COM
 > Sun Microsystems Laboratories
 > 1 Network Drive,UBUR02-311     Tel: 781/442-0928
 > Burlington, MA 01803-0902 USA  Fax: 781/442-1692

-- 
Anne H. Anderson             Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311     Tel: 781/442-0928
Burlington, MA 01803-0902 USA  Fax: 781/442-1692


